[Soekris] IPSec without a crypto card?
Devin Reade
gdr at gno.org
Fri Nov 2 17:04:25 UTC 2007
I have a need to deploy a number of router/firewalls to remote sites
where having an "appliance" with no moving parts is desirable, so I
was thinking about using Soekris boxes for the purpose.
The planned configuration is not uncommon:
- net5501-70
- OpenBSD installed on a CF card, with read-only filesystems
- an internal modem for dialup ppp (probably the USR Performance Pro)
- an external modem for dial-in console access (separate phone line)
- dynamic IP on the upstream side
- static IPs on the internal network
- IPSec between each remote site and a central data center (but not
  between remote sites)
- _maybe_ a caching DNS server for the internal network
- _maybe_ a DHCP server for the internal network
Network traffic over the IPSec tunnels is expected to be very light.
Question: Does anyone have a feel for whether or not I'm going to
need a crypto card for doing IPSec in this configuration?
I have in the past run the following without problems:
- moderately busy non-IPSec OpenBSD firewalls on low end hardware
- busy IPSec OpenBSD firewalls on higher end hardware
However I've never run a lightly used IPSec OpenBSD firewall on
low end hardware, and so I don't have a good feel for if it's going
to push the envelope. I'd like to keep the unit cost down for the
remote sites, if possible.
Thanks in advance.